Known Actively Exploited Vulnerabilities Round-up (28.06.24-04.07.24)

This article covers recent vulnerabilities found to be actively exploited. They are categorised based not only on the category of exploitation, but their impact, and versions affected. This article also informs on any official fix and remediation guidance for the listed vulnerabilities.

 

CVE-2024-6387

Category: Race Condition

 

Versions Affected:

  • OpenSSH versions earlier than 4.4p1 (unless they are patched for CVE-2006-5051 and CVE-2008-4109);
  • OpenSSH versions from 8.5p1 up to, but not including, 9.8p1.

 

This seems to affect glibc-based Linux systems and not e.g. musl-based systems. Impacted products and operating systems are known to include at least the below:

  • Red Hat Enterprise Linux 9
  • Debian Linux 11
  • Arch Linux
  • Amazon Linux 2023 < 2024-06-26
  • Slackware Linux
  • Gentoo Linux < 9.7_p1-r6
  • Ubuntu Linux 24.04 LTS, 23.10, and 22.04 LTS
  • Multiple other Operating Systems and Network Devices.

 

(OpenBSD is NOT currently believed to be affected.)

 

Vulnerability Summary:

A signal handler race condition was found in OpenSSH’s server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd’s SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). This race condition affects sshd in its default configuration.

This vulnerability is in fact a regression of CVE-2006-5051, which was reported in 2006 – although the flaw was fixed it has since reappeared in a subsequent software release, via a code change that inadvertently reintroduced the issue. This regression was introduced in October 2020 (OpenSSH 8.5p1) by commit 752250c (“revised log infrastructure for OpenSSH”), which accidentally removed an “#ifdef DO_LOG_SAFE_IN_SIGHAND” from sigdie(), a function that is directly called by sshd’s SIGALRM handler.

 

Official Fix & Remediation Guidance:

Update to the latest version. After upgrading to openssh-9.8p1, the existing SSH daemon will be unable to accept new connections on some systems. When upgrading remote hosts, please make sure to restart the sshd service using systemctl try-restart sshd or appropriate system-specific command directly after upgrading.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

 

 

CVE-2024-20399

Category: Command Injection

 

Versions Affected:

At the time of publication, this vulnerability affected the following Cisco products if they were running a vulnerable release of Cisco NX-OS Software:

  • Cisco MDS 9000 Series Multilayer Switches (CSCwj97007)
  • Cisco Nexus 3000 Series Switches (CSCwj97009)1
  • Cisco Nexus 5500 Platform Switches (CSCwj97011)
  • Cisco Nexus 5600 Platform Switches (CSCwj97011)
  • Cisco Nexus 6000 Series Switches (CSCwj97011)
  • Cisco Nexus 7000 Series Switches (CSCwj94682)2
  • Cisco Nexus 9000 Series Switches in standalone NX-OS mode (CSCwj97009)

 

 

Vulnerability Summary:

Although NX-OS is based on a Linux kernel, it abstracts away the underlying Linux environment and provides its own set of commands using the NX-OS CLI. In order to execute commands on the underlaying Linux operating system from the Switch management console, an attacker would need a “jailbreak” type of vulnerability to escape the NX-OS CLI context.

A vulnerability in the CLI of Cisco NX-OS Software allows exactly this kind of jaailbreak, due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command. A successful exploit could allow the attacker to escape the NX-OS CLI and execute arbitrary commands on the Linux underlaying operating system.

 

Official Fix & Remediation Guidance:

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. Customers are advised to upgrade to the latest version of the impacted product.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

 


 

That wraps up another week for high-profile vulnerabilities. Next week is likely to be especially exciting with the next monthly ‘Patch Tuesday‘ falling on July 9th, and likely to include high-profile patches for critical exploits from vendors including Microsoft and Google. Add it to your calendars now!

 

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).

Get started with Appcheck

No software to download or install.

Contact us or call us 0113 887 8380

Start your free trial

Your details
IP Addresses
URLs

Get in touch

Please enable JavaScript in your browser to complete this form.
Name